This article was produced in partnership with Tokio Marine HCC – Cyber & Professional Lines Group.
Gia Snape of Insurance Business America sat down with Catherine Lyle, SVP of cyber claims and incident response at Tokio Marine HCC – Cyber & Professional Lines Group (TMHCC), a member of the Tokio Marine HCC group of companies based in Houston, Texas, to discuss a startling trend in cyber that is driving a growing number of funds transfer fraud cases, and how brokers can help their clients protect themselves.
Ransomware attacks can be devastating to organizations, forcing them to pay enormous sums to secure their data or systems. But there’s another cyber trend that’s drawing concern because of massive payouts: business email compromise (BEC).
While it’s a common tactic by cybercriminals, business email compromise can often lead to funds transfer fraud – a crime that one cyber claims specialist has dubbed “death by a thousand cuts.”
“The money is gone unless you have an entity helping you recover it,” Catherine Lyle, SVP of cyber claims and incident response, said. “Compare that with a ransomware attack where the demand is $5 million and might be negotiated down to $500,000.”
Unlike ransomware attacks, which often involve large ransom demands that can be negotiated, funds transfer fraud entails a series of smaller but equally devastating financial losses. Worse, BEC attacks also usually go undetected until it is too late.
“In a BEC event, a company could transfer $200,000 in May, $200,000 in June, and $200,000 in July. There’s no negotiation with that threat actor,” illustrated Lyle.
“With ransomware, you also have backups that you could use. There’s no backup for funds transfer fraud. While your insurance carrier and law enforcement can help, there’s no guarantee that money is coming back. [With BEC], there’s only so much you can recover.”
BEC events that result in the fraudulent transfer of funds typically occur when a threat actor (TA) uses email to trick an employee into making unauthorized fund transfers.
A BEC usually starts with a phishing attack built on fraudulent emails crafted with meticulous attention to detail. When the phishing campaign succeeds, it grants the TA access to the employee’s email account.
Once inside the account, the TA searches for invoices that are due and changes the banking information on them. Unwitting employees, believing they are following legitimate instructions, transfer funds directly into the hands of cybercriminals.
The success of BEC attacks hinges on exploiting trust and familiarity within an organization’s email system.
By impersonating trusted individuals and leveraging social engineering tactics, cybercriminals manipulate employees into bypassing established protocols and authorizing fraudulent transactions.
“They play monkey in the middle,” Lyle said. “They pick out the right invoice and trick the person because they’re already in the email system.”
Lyle stressed that the damage is done once funds are transferred into fraudulent accounts, and recovering the stolen funds becomes an uphill battle.
According to Lyle, critical vulnerabilities in the US banking system are exacerbating the risk of funds transfer fraud for organizations.
Unlike systems in countries such as the UK, which require both a name-to-name and an account-to-account match for wire transfers, US banks require only an account-to-account match. This gap gives cybercriminals a loophole to exploit.
“As long as the person enters the fraudulent account number and it matches the receiving bank’s account number, the transfer goes through. For example, if the wire instruction says it’s supposed to go to a company’s bank account, it can still end up in a completely different named account because the account numbers are the same,” Lyle said.
“If the American banking system could change, I would hazard to guess that 90% of these would stop. Because a TA would need to get incorporation documents to open a real account in that entity’s name, which is much harder.”
US banks could also implement more robust verification processes for wire transfers to prevent fraudulent transfers. Lyle suggested deploying transaction monitoring systems that detect unusual or suspicious patterns, such as unexpected changes in beneficiary details or transfer amounts.
Banks can also enhance the verification process by requiring verbal confirmation from account holders or implementing dual authorization for high-value transactions.
For organizations to combat BEC and funds transfer fraud effectively, TMHCC advocates for a “multi-faceted” approach encompassing cybersecurity solutions and risk management strategies.
Lyle said brokers should encourage their clients to implement robust cybersecurity training among employees, use multi-factor authentication and email authentication protocols, and routinely patch their software and systems to fortify their businesses against cyberattacks.
She also stressed how a “culture of skepticism” can help fend off fraudsters.
“If there is a new bill payment request, you should call the requester and say, ‘Did you mean to send me this?’ Or if a vendor says they’re changing their billing, you should call that entity; don’t just email them back,” Lyle said.
“Those protocols are super important, in addition to all the cybersecurity changes that entities can make that aren’t sophisticated or expensive.”
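The name-to-name check, the monitoring for changed beneficiary details or unusual amounts, and the call-back rule described above can be combined into a single pre-release review of each payment request. The following is an added example written for this article, not TMHCC's or any bank's code; the vendor master record, the two-times-prior-amount threshold and the `callback_verified` flag are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed vendor master record: bank details the company has previously
# verified with the vendor out of band, plus the largest payment made so far.
VENDOR_MASTER = {
    "V-1001": {
        "name": "Acme Supply LLC",
        "account": "123456789",
        "routing": "021000021",
        "max_prior_amount": 200000.0,
    },
}


@dataclass
class PaymentRequest:
    vendor_id: str
    beneficiary_name: str
    account: str
    routing: str
    amount: float
    # True only after someone phoned the vendor at a previously known number
    # (not a number taken from the incoming email) and confirmed the details.
    callback_verified: bool = False


def review_payment(req: PaymentRequest, master=VENDOR_MASTER):
    """Return ('release' | 'hold', reasons) for a wire request.

    Any discrepancy against the vendor master holds the payment until a
    recorded call-back confirms it; a clean match releases it.
    """
    reasons = []
    known = master.get(req.vendor_id)
    if known is None:
        reasons.append("unknown vendor")
    else:
        # Name-to-name match (the UK-style check US account-only matching lacks).
        if req.beneficiary_name.strip().lower() != known["name"].lower():
            reasons.append("beneficiary name does not match vendor master")
        # Beneficiary-detail change: the classic altered-invoice signal.
        if (req.account, req.routing) != (known["account"], known["routing"]):
            reasons.append("bank details differ from last verified details")
        # Amount anomaly: far above anything previously paid to this vendor.
        if req.amount > 2 * known["max_prior_amount"]:
            reasons.append("amount far exceeds prior payments to this vendor")
    if reasons and not req.callback_verified:
        return "hold", reasons
    return "release", reasons
```

When a held request is later released after a call-back, the vendor master should be updated with the confirmed details so the next invoice is compared against the verified record, not the emailed one.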
Tokio Marine HCC – Cyber & Professional Lines Group specializes in providing tailored cyber solutions for clients in both prevention and response. Find out more on tmhcc.com/cyber.
Tokio Marine HCC was recognized in The Top Cyber Insurance Companies in the USA report.